Interpreting ARP Virus

Source: Internet
Author: User

I. ARP Virus

ARP address spoofing virus (ARP virus) is a special kind of malware that generally belongs to the Trojan family. It has no active propagation mechanism and does not replicate itself. However, while attacking, it sends forged ARP packets across the whole network and disrupts the operation of the entire network, so it can do more harm than some worms.

II. ARP Virus Attack

Symptoms of an ARP virus attack: the network is disconnected even though the network connection shows as normal; some PCs on the intranet, or all of them, cannot access the Internet; web pages cannot be opened or load slowly; the LAN drops out intermittently and the network speed is slow.

III. ARP Virus Principles

3.1 Network Model Overview

As is well known, according to the OSI (Open Systems Interconnection) reference model, a network system is divided into seven layers, each running different protocols and services, and adjacent layers cooperate to complete the exchange of network data, as shown in Figure 1:

However, the OSI model is only a reference model, not the model used in real networks. The most widely used commercial network model, the TCP/IP model, divides the network into four layers, each of which again runs different protocols and services, as shown in Figure 2.

Figure 2 TCP/IP layer-4 architecture model and its supporting protocols

As shown in Figure 2, the ARP protocol discussed next works at the Internet layer.

3.2 ARP

In a LAN, a host that wants to communicate with another host must know the IP address of the target host. However, the physical devices responsible for transmitting data on the LAN, such as network interface cards (NICs), do not recognize IP addresses; they recognize only their hardware addresses, that is, MAC addresses. A MAC address is 48 bits long and is usually written as 12 hexadecimal digits, with every two digits separated by a hyphen or a colon; for example, 00-0B-2F-13-1A-11 is a MAC address. Every network card has a globally unique MAC address, and data can be sent from one network card to another only by the other card's MAC address. Therefore a protocol is needed to convert the IP address in the upper-layer packet into the lower-layer MAC address, and this important task is performed by ARP.

ARP stands for Address Resolution Protocol. "Address resolution" is the process by which a host converts the IP address of the target host into the target host's MAC address before sending a packet. The basic function of ARP is to look up the MAC address of the target device by its IP address so that communication can proceed. This raises a problem: a LAN may contain anywhere from a few computers to hundreds of them. How can each computer accurately remember the MAC address of every other computer's NIC so that data can be sent? This involves another concept, the ARP cache table. Every host on the LAN has an ARP cache table, which stores the correspondence between the IP addresses and MAC addresses of the computers on the network. When the host sends data to another host on the same LAN, it uses the mapping in its ARP cache table.

Next, we use a simulated LAN environment to illustrate the ARP spoofing process.

3.3 ARP Spoofing Process

Assume a LAN consisting of only three computers connected by a switch. One computer, named A, represents the attacker. One, named S, represents the source host, that is, the computer that sends data. The third, named D, represents the destination host, that is, the computer that receives data. The IP addresses of the three computers are 192.168.0.2, 192.168.0.3 and 192.168.0.4, and their MAC addresses are MAC_A, MAC_S and MAC_D respectively. The network topology is shown in Figure 3.

Figure 3 Network topology

Now computer S wants to send data to computer D. Inside S, the upper-layer TCP or UDP packet has already been passed down to the network interface layer and is about to be sent, but S does not yet know the MAC address MAC_D of the destination host D. S first looks in its own ARP cache table to check whether it holds a MAC address for 192.168.0.4. If it does, the job is easy: the MAC address is placed in the frame header and the packet is sent directly. If not, S sends an ARP broadcast to the whole network, asking loudly: "My IP address is 192.168.0.3 and my hardware address is MAC_S. What is the hardware address of the host whose IP address is 192.168.0.4?" Every computer on the network receives this ARP broadcast, including computers A and D. Computer A sees that the IP address being queried is not its own, so it discards the packet and ignores it. Computer D sees that the IP address is its own, so it replies to S: "My IP address is 192.168.0.4 and my hardware address is MAC_D." Note that this reply is unicast: D sends it to S alone, not as a broadcast like the request. Now S knows the MAC address of the destination computer D, attaches the destination address MAC_D to the packet and sends it out. At the same time, S dynamically updates its ARP cache table, adding the record 192.168.0.4-MAC_D, so that the next time S sends data to D it does not need to broadcast an ARP request again. This is the normal packet sending process.

This mechanism looks perfect, and the whole LAN seems peaceful and safe. However, the data transmission mechanism described above has a fatal defect: it is built on complete trust among the computers in the LAN. Its assumption is that ARP packets sent by computers on the LAN are correct. This is very dangerous, because not every computer on the LAN is well behaved; there are often rogue ones. For example, during the transmission above, when computer S asks the whole network "What is the hardware address of the host whose IP address is 192.168.0.4?", computer D responds with its correct MAC address. But computer A, which until now has said nothing, also replies: "My IP address is 192.168.0.4 and my hardware address is MAC_A." Note that A is impersonating the IP address of computer D while writing its own MAC address into the reply! Although the ARP cache table of S already holds the correct record 192.168.0.4-MAC_D, A keeps sending such replies, and S has no way of telling that the packets from A are forged. As a result, S dynamically updates its ARP cache table with the record 192.168.0.4-MAC_A. This is obviously a wrong record (this step is also called ARP cache poisoning), and it means that any data S sends to computer D, the host whose IP address is 192.168.0.4, is actually delivered to the host whose MAC address is MAC_A. In this way computer A hijacks the data sent from S to D. This is the process of ARP spoofing.

What if computer A goes further and impersonates the gateway instead of computer D? Whenever a computer in a LAN connects to the Internet, its traffic must be forwarded through the LAN's gateway: all data sent and received first passes through the gateway, which then forwards it to the Internet. Suppose the gateway's IP address in this LAN is 192.168.0.1. If computer A keeps sending ARP spoofing broadcasts to the whole network saying "My IP address is 192.168.0.1 and my hardware address is MAC_A", the other computers in the LAN notice nothing, because LAN communication rests on the premise of trusting any computer's ARP broadcast. They update their ARP cache tables with the record 192.168.0.1-MAC_A, and whenever they send data to the gateway at 192.168.0.1, the data goes to MAC_A instead. In this way computer A can eavesdrop on the packets sent from the entire LAN to the Internet!
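The exchange of sections 3.2 and 3.3, replayed in code as an added example that is not part of the original article: the script builds the ARP request and replies of the S/D/A scenario as raw Ethernet/ARP frames, parses them, and keeps a per-IP binding table the way a host's ARP cache does. Unlike a real host, the watcher refuses to overwrite a binding it has already learned and holds a table of trusted bindings (here the gateway at 192.168.0.1), so both A's claim to be D and A's later claim to be the gateway are flagged instead of accepted. The MAC values, the gateway MAC, the `ArpWatch` class and the frame sequence are all constructed for this example.

```python
"""ARP cache poisoning detector over constructed ARP frames (added example)."""
import struct

# Constructed MAC addresses standing in for the article's MAC_S, MAC_D, MAC_A.
MAC_S = "00-0B-2F-13-1A-01"
MAC_D = "00-0B-2F-13-1A-02"
MAC_A = "00-0B-2F-13-1A-03"
GATEWAY_MAC = "00-0B-2F-13-1A-00"      # constructed; the article never names it
BROADCAST = "FF-FF-FF-FF-FF-FF"
ZERO_MAC = "00-00-00-00-00-00"

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split("-"))


def bytes_to_mac(b):
    return "-".join(f"{x:02X}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + 28-byte ARP payload for Ethernet/IPv4 (RFC 826 layout)."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + b"\x08\x06"  # EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, opcode
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame):
    """Return the ARP fields as a dict, or None if this is not ARP over Ethernet/IPv4."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    body = frame[22:42]
    return {
        "op": op,
        "eth_src": bytes_to_mac(frame[6:12]),
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": bytes_to_ip(body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": bytes_to_ip(body[16:20]),
    }


class ArpWatch:
    """Track IP->MAC bindings learned from ARP replies and alert when one changes.

    `trusted` holds known-good bindings (e.g. the gateway) that must never be overridden.
    A normal host cache would simply accept the newest reply; this is the defect in the text.
    """

    def __init__(self, trusted=None):
        self.trusted = {ip: mac.upper() for ip, mac in (trusted or {}).items()}
        self.seen = {}       # dynamically learned bindings, like an ARP cache table
        self.alerts = []     # (reason, ip, expected_mac, offered_mac)

    def observe(self, frame):
        """Return True if a reply was accepted, False if rejected, None if ignored."""
        p = parse_arp_frame(frame)
        if p is None:
            return None
        # Ethernet source and ARP sender hardware address should agree for an honest sender.
        if p["eth_src"] != p["sender_mac"]:
            self.alerts.append(("eth/arp mac mismatch", p["sender_ip"], p["eth_src"], p["sender_mac"]))
        if p["op"] != ARP_REPLY:
            return None          # requests do not establish bindings here
        ip, mac = p["sender_ip"], p["sender_mac"]
        if ip in self.trusted and self.trusted[ip] != mac:
            self.alerts.append(("trusted binding spoofed", ip, self.trusted[ip], mac))
            return False
        old = self.seen.get(ip)
        if old is not None and old != mac:
            self.alerts.append(("binding changed", ip, old, mac))
            return False
        self.seen[ip] = mac
        return True


def run_scenario():
    """Replay the article's S/D/A exchange followed by A's gateway impersonation."""
    watch = ArpWatch(trusted={"192.168.0.1": GATEWAY_MAC})
    frames = [  # constructed frame sequence
        build_arp_frame(ARP_REQUEST, MAC_S, "192.168.0.3", ZERO_MAC, "192.168.0.4"),  # S asks for D
        build_arp_frame(ARP_REPLY, MAC_D, "192.168.0.4", MAC_S, "192.168.0.3"),       # D's genuine reply
        build_arp_frame(ARP_REPLY, MAC_A, "192.168.0.4", MAC_S, "192.168.0.3"),       # A claims D's IP
        build_arp_frame(ARP_REPLY, MAC_A, "192.168.0.1", MAC_S, "192.168.0.3"),       # A claims the gateway
    ]
    results = [watch.observe(f) for f in frames]
    return results, watch.alerts


if __name__ == "__main__":
    results, alerts = run_scenario()
    print("accepted:", results)
    for alert in alerts:
        print("ALERT:", *alert)
```

The second and third frames differ only in the MAC offered for 192.168.0.4; a real host cache would silently take the later one, which is the poisoning step. Pinning the gateway's binding in the trusted table corresponds to the usual mitigation of a static ARP entry for the gateway on each host.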

In fact, this kind of virus appeared long ago: it is the ARP address spoofing virus. Some Trojans targeting the online game Legend (Trojan/PSW.LMir) have this capability. Such a Trojan usually infects one computer in the LAN through a Legend game plug-in or a web page Trojan, so that the computer can sniff all packets sent on the LAN. The Trojan has broken the packet encryption algorithm of the Legend game; it intercepts packets on the LAN, analyzes the private user information in them and steals the user's game account and password. After parsing these packets, it forwards them to the real gateway. A virus of this kind was named the "Legend Internet cafe killer"!

IV. New Forms of ARP Virus

Since online game packets are now all sent using strong encryption algorithms, this type of ARP virus runs into great difficulty decrypting them. A new ARP virus has now appeared which, like its predecessors, sends spoofed ARP broadcasts to the whole network and disguises itself as the gateway. The difference is that it no longer focuses on decrypting online game packets, but on modifying the responses to HTTP requests.

HTTP is an application-layer protocol mainly used for web page access. In the LAN environment above, if computer S wants to request a web page, say www.sina.com.cn, it first sends an HTTP request to the gateway, in effect saying: "I want to visit www.sina.com.cn, please download this page and send it to me." The gateway then downloads the www.sina.com.cn page and sends it to S. Now, if computer A sends spoofed ARP broadcasts to the whole network, disguises itself as the gateway and becomes the ARP poisoning computer, then when S requests a web page, A first obligingly downloads the page and passes it to S, but before returning it to S it inserts a malicious URL into the page! The malicious web site linked there exploits system vulnerabilities such as MS06-014 and MS07-017 to plant a Trojan on computer S. Likewise, if computer D requests a web page, A also returns a virus-infected page to D. In this way, if such an ARP virus exists on a LAN, every computer on the network segment gets infected and becomes a zombie in the hacker's hands!

Case:

According to an enterprise user, no matter which website the user visited, the KV antivirus software reported the virus Exploit.ANIfile.o.
